Because I had a RADIUS server ready with a group and secret present, it would be easier for me if I could get some Linux machines to authenticate clients via the same RADIUS server. It looks like it was not as easy as I was thinking. I tried multiple options like this and this, but I failed.
Digging online, I found a solution and a workaround, and I think it makes sense to share this here. A very old unsupported application shared a way to authenticate using a RADIUS server (FreeRADIUS as an example).
It is possible to authenticate against a RADIUS server using the RADIUS authentication protocol.
Make sure you install the following PAM to RADIUS authentication module, which should be available in any Debian/Ubuntu distribution. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests. You will need to supply your own RADIUS server to perform the actual authentication.
apt-get install libpam-radius-auth
I would love to see another module available as a package, but unfortunately it needs to be cloned and compiled. The libnss_ato module is a set of C library extensions which allows mapping every NSS request for an unknown user to a single predefined user. Basically, it is used to map your RADIUS-authenticated users onto a locally provisioned user.
To do that you need to clone the GitHub repository. Make sure you have git installed, or install it with:
apt-get install git
Then you can do this:
~# git clone https://github.com/donapieppo/libnss-ato
Cloning into 'libnss-ato'...
remote: Enumerating objects: 164, done.
remote: Total 164 (delta 0), reused 0 (delta 0), pack-reused 164
Receiving objects: 100% (164/164), 31.91 KiB | 1.28 MiB/s, done.
Resolving deltas: 100% (78/78), done.
~# cd libnss-ato/
~# make
gcc -fPIC -Wall -shared -o libnss_ato.so.2 -Wl,-soname,libnss_ato.so.2 libnss_ato.c
make gcc libnss_ato_test.c -o libnss_ato_test
~# make install
# remeber /lib/libnss_compat.so.2 -> libnss_compat-2.3.6.so
/usr/bin/install -m 644 libnss_ato.so.2 ""/lib/libnss_ato-2.3.6.so
/usr/bin/install -m 644 libnss-ato.3 ""/usr/share/man/man3
cd ""/lib && ln -fs libnss_ato-2.3.6.so libnss_ato.so.2
~#
Add the RADIUS server and secret to the configuration file:
Make sure you remove all other servers and at the end add the radius servers. If you have only one, just add only one.
192.168.1.100 secret_key_for_the_first 5
192.168.2.100 secret_key_for_the_second 5
Create a configuration file for libnss-ato:
and paste this:
The PAM configuration files for the sshd and login processes are found at
Add this line at the top of both files:
auth sufficient pam_radius_auth.so
The NSS configuration file is found at
/etc/nsswitch.conf. The top three entries in this file will look as follows:
passwd: compat ato
group: compat
shadow: compat ato
To test if authentication works, open another session and from the CLI run:
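The three files edited above can be checked mechanically before testing a login. The script below is an added example, not part of the original post or of either module; the function names and the choice to pass file paths as arguments are assumptions, and `stat -c` assumes GNU coreutils as on Debian.

```shell
#!/bin/sh
# Added example: lint the three files this setup edits. Paths are arguments,
# so nothing here assumes where a distribution keeps them.

# RADIUS client file: entries follow the "server secret timeout" form shown
# above. The secret is clear text, so group/other must have no access, and a
# bad entry is reported by line number only, never by echoing the line.
check_radius_conf() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        [0-7]00|0) ;;
        *) echo "FAIL: $1 mode $mode exposes the shared secret"; return 1 ;;
    esac
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         NF < 2 || (NF >= 3 && $3 !~ /^[0-9]+$/) {
             print "FAIL: bad entry on line " NR; bad = 1 }
         END { exit bad }' "$1"
}

# nsswitch file: passwd and shadow must list "ato" so an authenticated user
# with no local account resolves to the single predefined user.
check_nsswitch() {
    for db in passwd shadow; do
        grep -Eq "^${db}:.*[[:space:]]ato([[:space:]]|\$)" "$1" ||
            { echo "FAIL: $db lacks ato"; return 1; }
    done
}

# PAM service file: the first active line must be the pam_radius_auth.so rule;
# an include or another auth rule above it would be evaluated first.
check_pam() {
    first=$(awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
                 { print $1, $2, $3; exit }' "$1")
    [ "$first" = "auth sufficient pam_radius_auth.so" ] ||
        { echo "FAIL: first active line is '$first'"; return 1; }
}

# Usage: sh radius_lint.sh RADIUS_CONF NSSWITCH_CONF PAM_FILE
if [ "$#" -eq 3 ]; then
    check_radius_conf "$1" && check_nsswitch "$2" && check_pam "$3" && echo "OK"
fi
```

Run it once per PAM service file, since the rule is added to both the sshd and login files.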
tail -f /var/log/auth.log
After you are logged in using your RADIUS account, you can run:
This has been tested on a Raspberry Pi 4 using:
~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"